墓志铭 Epitaph

This skill is coherent with its goal (it needs a browser plugin and in‑browser scripts to read logged‑in social pages), but it does a number of things you should review before installing: - It will attempt to auto-download and place a ManoBrowser plugin/skill from GitHub into your skills directory (uses git/curl/unzip). Prefer to perform that install manually after you review the repository and a specific commit hash. Do not allow silent, unattended downloads. - The skill runs JavaScript inside your browser (via chrome_execute_script) that reads cookies, page JS objects (window.__INITIAL_STATE__, window.$CONFIG), and performs XHR interception — this gives it access to anything your logged‑in browser can see. Only run it on accounts you trust and on machines you control. - The workflow expects an MCP endpoint + API key (ManoBrowser configuration). Verify where that MCP endpoint points and that it is a trusted/local device; if the MCP endpoint is remote or you don't control it, scraped data (or browser control) could be transmitted off your machine. Do not use unknown endpoints. - Metadata omits required tools (git/curl/unzip) and credential/config expectations; treat that as a packaging/quality issue. Ask the skill author to declare required binaries and to provide checksums or pinned commits for any automatic downloads. - If you decide to try it: 1) manually clone and inspect the ManoBrowser repo and this skill's JS scripts before running; 2) prefer manual installation and explicit consent prompts rather than automatic install; 3) test on a throwaway account first; 4) ensure epitaph-data/ is stored locally and that no upload occurs to unknown servers. What would change this assessment: explicit, pinned install artifacts (commit hashes/checksums), a declared install spec rather than silent cloning, and clear instructions ensuring MCP endpoint is local/trusted (or a guarantee that no remote upload occurs). If the skill required and declared those items, its classification could move toward benign.